On Windows, Acrobat 10.1 introduced a sandbox called Protected View (PV). With 11.0, the feature is improved and extended to Reader. PV is a highly secure, read-only mode that blocks most actions and application behavior until the user decides whether or not to trust the document.

Note

In Reader, Protected View is only supported when Protected Mode is enabled. There can by no HKCU or HKLM Protected Mode registry preference set to 0 (off) when Protected View is enabled.

PV is another defense-in-depth feature that is tightly integrated with the existing enhanced security feature. PV in Acrobat leverages the successful sandbox implementation already in place for Adobe Reader while providing a user experience that should be familiar to Microsoft Office 2010 users.

Under the covers, the PV sandbox is similar to Reader’s Protected Mode sandbox, but is built on a stronger model which provides greater protections. Just like Reader, Acrobat strictly confines the execution environment of untrusted programs; that is, any PDF and the processes it invokes. When PV is enabled, Acrobat assumes some or all PDFs are potentially malicious based on user preferences and confines processing to a restricted sandbox.

Due to the rich nature of Acrobat’s capabilities, Acrobat’s behavior with PV enabled is slightly more complex than Reader’s. The Acrobat team has specifically tailored application behavior for two types of scenarios: viewing PDFs with the standalone application and viewing PDFs with a browser. The rationale behind providing two protection experiences was driven by a need to preserve usability as well as the right level of functionality and security in each mode.

With 11.x, PV behaviors in the standalone product and the browser are identical.

In the standalone application, behavior is simple and parallels the Protected View provided by Office 2010. During a file download and/or save, web browsers and email programs typically mark documents such as Internet files and attachments with a “potentially unsafe” flag. When you open such a document, Acrobat displays a warning bar at the top of the viewing window. In this state, many of Acrobat’s features that interact with and change the document are disabled and the associated menu items are greyed out in order to limit user interaction.

The view is essentially read-only, and the disabled features prevent any embedded or tag-along malicious content from tampering with your system. Once you’ve decided to trust the document, choosing Enable All Features exits PV, re-enables all menu items, and provides permanent trust for the file by adding to enhanced security’s list of privileged locations (see Integration with enhanced security. The document is now open in a full, unsandboxed Acrobat process.

When a PDF is opened in a browser, Protected View provides a streamlined experience that doesn’t utilize a warning bar. Instead, browser-based PDFs provide a Reader-like experience for documents that have been “rights enabled.” That is, all of Reader’s features are available in addition to features that become enabled when a document author uses Acrobat to extend features to Reader users. These features include signing existing form fields, adding new signature fields, saving form data, etc.

In this respect, a PDF in the browser’s Protected View is more capable than a PDF in the standalone Protected View. On the other hand, the browser-based capabilities are always limited while the standalone application enables users to achieve full functionality with a single click of a button.

Protected View can be enabled, disabled, and configured in other ways to provide the level of security you need. That is, you decide when and how to use Protected View based on your level of trust for the PDFs you interact with.

Go to Preferences > Security (Enhanced).

In the Protected View panel, select one of the following to set iProtectedView:

Registry configuration enables pre and post deployment configuration via the Customization Wizard, scripts, GPO, and other IT-centric methodologies. The application often uses internal keys that aren’t visible by default. If the requisite key does not exist, manually create it.

Logging is available for users who need to troubleshoot problems where a workflow or plugin does not work when Protected Mode is enabled. The log may provide guidance as to whether a custom policy file should be used to re-enable broken workflows or plugins.

In addition to enabling logging via the UI (above), you can turn on logging and configure a log file location via the registry.

To enable logging, specify a log file location:

Go to HKEY_CURRENT_USER\Software\Adobe\AdobeAcrobat\(version)\Privileged.

Right click and choose New > REG_SZ Value.

Create tBrokerLogfilePath.

Right click on tBrokerLogfilePath and choose Modify.

Set the value. For example: C:\DOCUME~1\<username>\LOCALS~1\Temp\BrL4FBA.tmp

Protected view prevents a number of actions which IT can bypass by creating a white list of allowed actions. The component that reads these policies is called a “broker.” The broker performs actions based on those policies, and when an admin provides a properly configured policy file, the broker can bypass the application’s default restrictions.

The broker first reads and applies all custom policies prior to applying the default policies. Since custom policies take precedence, they are useful for fixing broken workflows, supporting third party plug-ins, and cases where an unsupported machine configurations cause the Protected Mode to impair required functionality.

Configurable policies have two requirements:

They must reside in the Reader install directory adjacent to the AcroRd32.exe in the install folder:

While you can verify whether the application has Protected View enabled by viewing the Enhanced Security panel, it is also possible to verify the document you are currently viewing is subject to Protected View’s protections.

Note

When using the standalone application, verification should be obvious since a document that opens in Protected View displays the Yellow Message Bar.

To verify if the browser-based document you are viewing is opened in Protected View:

Open a PDF in a browser.

Right click on the document.

Choose Document Properties > Advanced tab. When Protected Mode or View is invoked, the status will be Protected Mode: On.

When Protected View cannot launch due to an unsupported configuration, a dialog alerts the user of the incompatibility and provides the user with the option to disable Protected View.

Unsupported configurations for Acrobat running in Protected View change across releases as the product evolves. For example, Protected Mode supports Citrix and Windows Terminal Services deployments with 10.1. For a list of unsupported configurations and workarounds, see http://kb2.adobe.com/cps/860/cpsid_86063.html.

Some of the high-level design criteria for Protected View include the following:

PDFs in a browser are more functional than PDFs in a Reader’s sandbox: For PV in a browser, the UI provides access to all of the features provided by Reader as well as the features that are available for any rights enabled document when viewed in Reader.

As secure as sandboxed Reader: Acrobat leverages the same technology and implementation as Reader and is just as secure.

Transitioning out of PV should be simple: In PV, exiting the read-only mode is as simple as choosing Enable All Features.

Disabled features should not be hidden: If a feature is not enabled in the sandbox, the UI still displays the disabled feature in the menu as a greyed out item.

Trust can be assigned to documents so that they bypass PV restrictions: Because of its integration with enhanced security, users can specify files, folders, and hosts as privileged locations that are not subject to PV trust restrictions. PDFs originating from a privileged location will not open in PV.

System requirements?

Due to the fundamental differences in OS and product implementations, sandbox designs must be tailored to each environment. The current release includes support for the following:

Adobe Acrobat 10.1 or later.

Windows 32 and 64 bit platforms, including XP SP3. Adobe’s initial efforts focus on hardening its Windows products because there are more Windows users and Windows applications with proven sandboxing implementations.

Protected View should be enabled all the time for casual users who interact with PDFs in unsecure environments. There are a limited number of cases where you might want to disable Protected View:

In enterprise settings where PDF workflows are entirely confined to trusted environments under an administrator’s control.

If you have third-party or custom plugins that cause issues when running in Protected View. For example, some workflows that use ActiveX plugins may not work by default.

How many processes should be running when I use Protected View?

Open the process explorer or task manager. When in Protected View, two AcroRd32.exe processes will be running alongside the Acrobat.exe process. More processes will appear based on how many browser instances you have viewing a PDF, invoked shell extensions, and iFilter.